Capture This: Real Time Packet Processing with FPGAs

The electronics/IT market pushes for providing everyone high-speed network connections, allowing to exchange the more information as possible in short time: in terms of speed, today, the most common wired connections run at a rate of 1 Gbps. From a security point of view, one might be interested in establishing a secure, encrypted communication with another peer. At the same time, one should also be interested in inspecting the exchanged data and set some conditions before actually accepting them.

Considering traditional computer architecture, the Central Processing Unit (CPU) needs to interact many times with memory in order to evaluate such conditions and eventually provide active modifications to the received data. However, the high traffic rate is now closer to the processor speed, that might struggle in performing these tasks in due time. This shuttling of data between local memory and processor is typically referred to as Von Neumann bottleneck and leads to large expenditures of time and energy. To solve this problem, one can change the architecture and opt for a non-Von Neumann class of devices, like Field Programmable Gate Arrays (FPGA).

Based on the previously introduced problems, the goal of this research is to design an application based on an FPGA architecture, to be used in a security environment. Such application consists in processing the network packets exchanged across a wired Ethernet connection, in real time. This allows filtering the exchanged data according to a specific set of conditions, programmed by the user. Moreover, in order to guarantee a secure communication between two peers, it also includes an encryption scheme, to manage encryption/decryption of data in real time. As a result, this application is referred to as a toolbox, due to the existence in hardware of different options of configuration, to be enabled by the user: this opens a wide selection of possibilities in terms of security features. The beauty of all such options consists of a transparent interaction with the data flow, at a cost of a negligible latency (less than a couple of hundreds of nanoseconds). This works even when data are changed on-the-fly, as during the encryption/decryption process. To mention a couple of examples, one can detect and eventually prevent an attempt of data exfiltration, by enforcing a proper MAC blacklist or by inspecting the packet’s data in real time, before such packets are being transmitted. Moreover, one can even become invisible on the network, by dropping all the ICMP packets.

The device used for this purpose is a hybrid solution, defined as System on (Programmable) Chip (SoC), that embeds a classic CPU architecture into an FPGA logic-fabric. As a result, depending on the implemented resource balance, there are different approaches to achieve the goals of this research. The talk will mostly focus on the approach that allowed the creation of the toolbox, that is exploiting mostly the FPGA resources and capabilities and rarely the processor. Particular attention will be devoted to the advantages and disadvantages of such a choice. In the end, an overview on the future upgrades will be provided, stimulating the attendee’s curiosity on such an interesting topic combination as FPGA design and security.

MAIN CONFERENCE
Location: Conf Track 2 Date: November 28, 2018 Time: 2:00 pm - 3:00 pm Matteo Collura